Security association bundling for an interface

US12095736B2 · US · B2

Patent metadata
Publication number: US-12095736-B2
Application number: US-202117213321-A
Country: US
Kind code: B2
Filing date: Mar 26, 2021
Priority date: Jan 21, 2021
Publication date: Sep 17, 2024
Grant date: Sep 17, 2024


Abstract

Official abstract text for this publication.

A method for IPSec communication between a source machine and a destination machine is provided. The method includes receiving, at the destination machine, first and second packets from the source machine through first and second VPN tunnels established between a first VTI of the source machine and a second VTI of the destination machine; determining the first packet corresponds to a first SA and the second packet corresponds to a second SA; processing, by a first processing core, the first packet based on the first SA, and processing, by a second processing core, the second packet based on the second SA; and updating, at the second VTI, states of one or more flows based on the first and second packets, the second VTI providing one or more stateful services for the one or more packet flows based on the one or more states.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for secure communication between a source machine executing in a first site and a destination machine executing in a second site, comprising: receiving, at the destination machine, first and second packets from the source machine through, respectively, first and second virtual private network (VPN) tunnels established between a first virtual tunnel interface (VTI) of the source machine and a second VTI of the destination machine, the first and second packets associated with a first packet flow of a first session; determining that the first packet is associated with a first security association (SA) and the second packet is associated with a second SA; based on the determination, processing, by a first processing core of the destination machine, the first packet to decrypt the first packet based on the first SA; based on the determination, processing, by a second processing core of the destination machine, the second packet to decrypt the second packet based on the second SA; transmitting, by the second VTI, a third packet on a third VPN tunnel to the source machine, the third packet associated with a second packet flow initiated by the destination endpoint in response to receiving the first flow, the second packet flow being associated with the first session; and updating, at the second VTI, one or more state tables for the first session, based on the first, second, and third packets, the first and second VTIs each comprising a routable interface for routing network traffic between the source machine and the destination machine, the second VTI providing one or more stateful services for the first and second packet flows based on the one or more state tables.

2. The method of claim 1, wherein the first VTI: receives the first and second packets from at least one source endpoint; assigns the first SA to the first packet, such that after processing the first packet to encrypt the first packet based on the first SA, the first packet is transmitted to the destination machine via the first VPN tunnel; and assigns the second SA to the second packet, such that after processing the second packet to encrypt the second packet based on the second SA, the second packet is transmitted to the destination machine via the second VPN tunnel.

3. The method of claim 2, wherein the first VTI receives the first and second packets on a receive-side scaling (RSS) queue of the source machine, wherein the RSS queue is associated with a processing core of the source machine.

4. The method of claim 1, wherein the first and second VPN tunnels are associated with a single session between the source and destination machines.

5. The method of claim 1, wherein the destination machine comprises a plurality of VTIs, the plurality of VTIs comprising the second VTI.

6. The method of claim 1, wherein the one or more stateful services comprises a firewall.

7. The method of claim 1, wherein the source and destination machines are gateways located, respectively, at edges of networks of the first and second sites.

8. The method of claim 1, wherein updating one or more states of the one or more packet flows comprises updating one or more state tables that include forwarding data associated with the one or more packet flows.

9. A non-transitory computer readable medium comprising instructions that, when executed by one or more processors of a computing system, cause the computing system to perform a method for secure communication between a source machine executing in a first site and a destination machine executing in a second site, the method comprising: receiving, at the destination machine, first and second packets from the source machine through, respectively, first and second virtual private network (VPN) tunnels established between a first virtual tunnel interface (VTI) of the source machine and a second VTI of the destination machine, the first and second packets associated with a first packet flow of a session; determining that the first packet is associated with a first security association (SA) and the second packet is associated with a second SA; based on the determination, processing, by a first processing core of the destination machine, the first packet to decrypt the first packet based on the first SA; based on the determination, processing, by a second processing core of the destination machine, the second packet to decrypt the second packet based on the second SA; transmitting, by the second VTI, a third packet on a third VPN tunnel to the source machine, the third packet associated with a second packet flow initiated by the destination endpoint in response to receiving the first flow, the second flow being associated with the first session; and updating, at the second VTI, one or more state tables for the first session based on the first, second, and third packets, the first and second VTIs each comprising a routable interface for routing network traffic between the source machine and the destination machine, the second VTI providing one or more stateful services for the first and second packet flows based on the one or more state tables.

10. The non-transitory computer readable medium of claim 9, wherein the first VTI: receives the first and second packets from at least one source endpoint; assigns the first SA to the first packet, such that after processing the first packet to encrypt the first packet based on the first SA, the first packet is transmitted to the destination machine via the first VPN tunnel; and assigns the second SA to the second packet, such that after processing the second packet to encrypt the second packet based on the second SA, the second packet is transmitted to the destination machine via the second VPN tunnel.

11. The non-transitory computer readable medium of claim 10, wherein the first VTI receives the first and second packets on a receive-side scaling (RSS) queue of the source machine, wherein the RSS queue is associated with a processing core of the source machine.

12. The non-transitory computer readable medium of claim 9, wherein the first and second VPN tunnels are associated with a single session between the source and destination machines.

13. The non-transitory computer readable medium of claim 9, wherein the destination machine comprises a plurality of VTIs, the plurality of VTIs comprising the second VTI.

14. The non-transitory computer readable medium of claim 9, wherein the one or more stateful services comprises a firewall.

15. The non-transitory computer readable medium of claim 9, wherein the source and destination machines are gateways located, respectively, at edges of networks of the first and second sites.

16. A computer system, comprising: a memory; and a processor coupled to the memory, the processor being configured to: receive, at the destination machine, first and second packets from the source machine through, respectively, first and second virtual private network (VPN) tunnels established between a first virtual tunnel interface (VTI) of the source machine and a second VTI of the destination machine, the first and second packets associated with a first packet flow of a first session; determine that the first packet is associated with a first security association (SA) and the second packet is associated with a second SA; based on the determination, process, by a first processing core of the destination machine, the first packet to decrypt the first packet based on the first SA; based on the determination, process, by a second processing core of the destination machine, the second packet to decrypt the sec
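The abstract and claims above describe one mechanism: several SAs (one per VPN tunnel) are bundled onto a single routable VTI, each inbound SA is processed on its own core, and one VTI-wide state table serves the stateful firewall for both directions of a session, including the reply flow sent back on a third tunnel. The simulation below is an added illustration written for this page, not code from the patent or from VMware; the `SA`, `Packet` and `VTI` classes, the HMAC tag standing in for ESP integrity protection, the round-robin outbound SA choice, the port-443 policy and the addresses in `run_scenario` are all constructed assumptions.

```python
"""Constructed model of SA bundling on a virtual tunnel interface (VTI).

Not the patent's code. Two inbound SAs share one VTI and are pinned to
different cores; a third SA carries the reply direction; a single per-VTI
state table drives the stateful firewall no matter which SA or core handled
a packet.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    spi: int      # security parameter index identifying the tunnel / SA
    key: bytes    # constructed integrity key (stand-in for the ESP keys)
    core: int     # processing core this SA is pinned to


@dataclass(frozen=True)
class Packet:
    spi: int
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    tag: bytes    # HMAC over the payload, verified by the core owning the SA


def flow_key(p):
    return (p.src, p.dst, p.sport, p.dport)


def reverse(k):
    return (k[1], k[0], k[3], k[2])


def mac(sa, payload):
    return hmac.new(sa.key, payload, hashlib.sha256).digest()


class VTI:
    """One routable tunnel interface with several SAs bundled onto it."""

    def __init__(self, inbound, outbound, allowed_ports):
        self.sad = {sa.spi: sa for sa in inbound}   # inbound SA database
        self.outbound = list(outbound)
        self.allowed = set(allowed_ports)           # policy for new flows
        self.state = {}                             # flow key -> packet count, shared by all cores
        self.core_work = defaultdict(int)           # core -> packets it verified
        self._rr = 0

    def send(self, src, dst, sport, dport, payload):
        """Assign an outbound SA (round-robin) and record the flow on transmit."""
        sa = self.outbound[self._rr % len(self.outbound)]
        self._rr += 1
        pkt = Packet(sa.spi, src, dst, sport, dport, payload, mac(sa, payload))
        k = flow_key(pkt)
        self.state[k] = self.state.get(k, 0) + 1
        return pkt

    def receive(self, pkt):
        sa = self.sad.get(pkt.spi)
        if sa is None:
            return "drop:unknown-spi"
        # Verification happens on the core that owns this SA.
        if not hmac.compare_digest(mac(sa, pkt.payload), pkt.tag):
            return "drop:auth"
        self.core_work[sa.core] += 1
        return self._firewall(flow_key(pkt))

    def _firewall(self, k):
        """Stateful check against the VTI-wide table, not a per-SA table."""
        if k in self.state or reverse(k) in self.state:
            self.state[k] = self.state.get(k, 0) + 1
            return "accept:established"
        if k[3] in self.allowed:
            self.state[k] = 1
            return "accept:new"
        return "drop:policy"


def run_scenario():
    """Two packets of one flow over two SAs, a reply on a third, then two bad packets."""
    sa1, sa2, sa3 = SA(0x1001, b"k1", 0), SA(0x1002, b"k2", 1), SA(0x2001, b"k3", 0)
    src_vti = VTI(inbound=[sa3], outbound=[sa1, sa2], allowed_ports={443})
    dst_vti = VTI(inbound=[sa1, sa2], outbound=[sa3], allowed_ports={443})
    p1 = src_vti.send("10.0.0.5", "10.1.0.9", 40000, 443, b"client-hello")  # goes on sa1
    p2 = src_vti.send("10.0.0.5", "10.1.0.9", 40000, 443, b"client-data")   # goes on sa2
    results = [dst_vti.receive(p1), dst_vti.receive(p2)]
    p3 = dst_vti.send("10.1.0.9", "10.0.0.5", 443, 40000, b"server-hello")  # reply on sa3
    results.append(src_vti.receive(p3))
    # Constructed bad traffic: a tag made with the wrong SA key, then an unsolicited flow.
    forged = Packet(sa2.spi, "10.0.0.5", "10.1.0.9", 40000, 443, b"x", mac(sa1, b"x"))
    unsolicited = Packet(sa1.spi, "10.0.0.5", "10.1.0.9", 50000, 22, b"ssh", mac(sa1, b"ssh"))
    results += [dst_vti.receive(forged), dst_vti.receive(unsolicited)]
    return {"results": results, "dst_cores": dict(dst_vti.core_work), "dst_state": dst_vti.state}


if __name__ == "__main__":
    print(run_scenario())
```

The point the scenario makes is the one the claims turn on: the second packet is verified on a different core than the first, yet it is accepted as part of an established flow, and the reply on the third tunnel is accepted at the source side because the source VTI's table already holds the forward flow. Per-core or per-SA state tables would not give that result.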

Assignees

VMware LLC

Inventors

Classifications

  • Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up · CPC title

  • H04L45/586 (primary): of virtual routers · CPC title

  • Flow based routing · CPC title

  • Firewall traversal, e.g. tunnelling or, creating pinholes · CPC title

  • at the network layer · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12095736B2 cover?
A method for IPSec communication between a source machine and a destination machine is provided. The method includes receiving, at the destination machine, first and second packets from the source machine through first and second VPN tunnels established between a first VTI of the source machine and a second VTI of the destination machine; determining the first packet corresponds to a first SA a…
Who is the assignee on this patent?
VMware LLC
What technology area does this patent fall under?
Primary CPC classification H04L45/586. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 17, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 11 related publications on this page (citations in our corpus or others sharing the same primary CPC).